
SAP Security Notes July 2012 – Review

SAP has released its monthly critical patch update for July 2012. This update closes 20 vulnerabilities in SAP products (17 rated high priority and 3 medium).
The vulnerability types include:

5 missing auth checks

3 XSS

2 information disclosures

1 code injection

There are fewer vulnerabilities than usual, but some major architectural problems were closed. They were found by ERPScan researchers Alexander Polyakov, Dmitriy Chastukhin, Alexey Tyurin and Alexander Minozhenko, and we will discuss them at BlackHat USA. The vulnerabilities affect the XML parsing engines of SAP Process Monitoring and SAP Process Integration. Both allow escalation of privileges and access to sensitive technical and business-related information stored in the vulnerable SAP system or in connected systems.

The detailed list of corrected vulnerabilities follows:

A vulnerability in SAP Process Integration. The fix is available in SAP Security Note 1723641; the CVSS score is 5.0. By exploiting this vulnerability, an internal or external attacker can read any file in the SAP server file system that the PI process can access, cause a denial of service, and attack the systems PI is connected to. The file access alone is enough to obtain sensitive technical and business-related information stored in the vulnerable SAP system, and the note that a connected system can be reached through PI means the real exposure is wider than the CVSS score suggests.

A vulnerability in SAP Process Monitoring. The fix is available in SAP Security Note 1721309; the CVSS score is 3.5. By exploiting this vulnerability, an internal or external attacker can read any file in the SAP server file system that the application can access, and with that obtain sensitive technical and business-related information stored in the vulnerable SAP system.
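The post does not name the bug class behind these two notes. The behaviour it describes (an XML parsing engine that hands back arbitrary server files and can be pointed at connected systems) is the classic symptom of XML External Entity (XXE) expansion, so the following Python example, added here and not taken from SAP, ERPScan or the patched products, shows a parser that expands external entities beside a hardened one. The message format, the <data> element, the secret file and the "order 4711" payload are constructed for the demo; the vulnerable parser is Python's own xml.sax with external general entities switched on, standing in for the affected engines.

```python
# Added illustration of the bug class the SAP notes above describe; not code
# from SAP or ERPScan. Element and file names are made up for the demo.
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class DataCollector(handler.ContentHandler):
    """Collects the character data of <data> elements, the way an
    integration engine would pull a payload field out of a message."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._parts = []

    def startElement(self, name, attrs):
        if name == "data":
            self._inside = True

    def endElement(self, name):
        if name == "data":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self._parts.append(content)

    @property
    def text(self):
        return "".join(self._parts)


def build_xxe_payload(path):
    """Constructed attacker message: declares an external entity that
    points at a server-side file and references it in the payload."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE msg [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        '<msg><data>&xxe;</data></msg>' % path
    ).encode()


def parse_unsafe(xml_bytes):
    """Mimics an engine that expands external general entities: the content
    of any file the entity names, readable by the process, lands in the message."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)   # the weak setting
    collector = DataCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def parse_hardened(xml_bytes):
    """Refuses any DOCTYPE, so no entity declaration reaches the parser at
    all, and keeps external entity expansion off as a second line of defence."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE is not accepted in inbound messages")
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    collector = DataCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def demo():
    """Runs both parsers against an XXE payload and a benign message.
    Returns (leaked_text, attack_blocked, benign_text)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w", encoding="utf-8") as f:
            f.write("TOP-SECRET")           # constructed stand-in for a server file
        payload = build_xxe_payload(secret)
        leaked = parse_unsafe(payload)      # file content comes back as message data
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
        benign = parse_hardened(b"<msg><data>order 4711</data></msg>")
    return leaked, blocked, benign


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE outright is the check worth keeping even after the vendor patch: an inbound business message has no legitimate need for entity declarations, and refusing them also removes the entity-expansion denial-of-service path the first note mentions. Disabling the features alone leaves you dependent on every parser in the chain honouring them.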

As usual, SAP has published acknowledgements of the vulnerabilities found by ERPScan researchers on its acknowledgement page.

Applying all of these notes is strongly recommended to reduce the business risk; after applying them, verify that the notes are actually implemented on every affected system rather than only downloaded.